Cloudflare ERR_SSL_VERSION_OR_CIPHER_MISMATCH with GCP
Background
Client -> Cloudflare -> GCP LB -> Backend
While setting up this flow (Cloudflare proxying traffic in front of a GCP load balancer, for both routing and protection), I ran into an unexpected issue.
Symptoms
After switching the DNS records in Cloudflare to Proxied, requests to the site failed in the browser with ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Root Cause: Cloudflare Universal SSL and Multi-Level Subdomains
The core issue is the scope of Cloudflare's Universal SSL certificate. Universal SSL covers only the zone apex and first-level subdomains (example.com and *.example.com); it does not cover multi-level subdomains such as sub.subdomain.example.com or *.subdomain.example.com, because a wildcard matches exactly one DNS label.
Once a record is proxied, Cloudflare's edge terminates the client's TLS session. For a multi-level hostname it has no certificate to present for that SNI, so it aborts the handshake, which Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Encryption between Cloudflare and the GCP load balancer does not help here: that leg never starts, because the client-to-Cloudflare handshake fails first.
Solution
In my case, I reviewed all DNS records and renamed every multi-level subdomain to a single-level one (for example, a host like api.staging.example.com becomes api-staging.example.com, with matching changes to the load balancer frontend and backend certificates). With only single-level names, Universal SSL covers every proxied hostname. If renaming is not an option, Cloudflare's Advanced Certificate Manager can issue certificates that include multi-level hostnames; the other fallback is to leave such records DNS-only, which loses Cloudflare's proxying and protection for those hosts.
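To make the root cause and the fix concrete, here is an added example (not code from the original post): a small Python audit that applies the Universal SSL coverage rule to a DNS export, flags proxied hostnames the certificate cannot cover, and suggests a single-level replacement. The record list, the zone name example.com and the "join extra labels with a hyphen" naming convention are all assumptions for illustration. The `probe_tls` helper reproduces the failure live: with SNI set to an uncovered hostname, Cloudflare's edge returns a handshake failure alert, which is exactly what the browser surfaces as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

```python
"""Audit DNS hostnames for Cloudflare Universal SSL coverage.

Added example, not from the original post. Universal SSL covers only the
zone apex (example.com) and one label below it (*.example.com); any deeper
hostname (a.b.example.com) gets no edge certificate, so a proxied record
for it fails the TLS handshake. The record list below is constructed.
"""
import socket
import ssl


def universal_ssl_covers(hostname: str, zone: str) -> bool:
    """True if Cloudflare Universal SSL would cover `hostname` in `zone`."""
    hostname = hostname.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if hostname == zone:
        return True  # zone apex is covered
    if not hostname.endswith("." + zone):
        return False  # not a name in this zone at all
    prefix = hostname[: -(len(zone) + 1)]
    return "." not in prefix  # exactly one label below the apex


def flatten_hostname(hostname: str, zone: str) -> str:
    """Suggest a single-level name by joining the extra labels with '-'
    (an assumed naming convention, not a Cloudflare rule)."""
    hostname = hostname.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    prefix = hostname[: -(len(zone) + 1)]
    return prefix.replace(".", "-") + "." + zone


def audit_records(records, zone):
    """Return (hostname, suggested_replacement) for every proxied record
    that Universal SSL will not cover. DNS-only records are skipped because
    Cloudflare does not terminate TLS for them."""
    problems = []
    for name, proxied in records:
        if proxied and not universal_ssl_covers(name, zone):
            problems.append((name, flatten_hostname(name, zone)))
    return problems


def probe_tls(hostname, port=443, timeout=5.0):
    """Live check: attempt a TLS handshake with SNI set to `hostname`.
    Returns "ok" when a certificate was negotiated and validated,
    "handshake_failure" when the server sends a handshake_failure alert
    (what the browser shows as ERR_SSL_VERSION_OR_CIPHER_MISMATCH),
    or "error: ..." for anything else. Not used by the offline audit."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return "ok"
    except ssl.SSLError as exc:
        if "handshake failure" in str(exc).lower():
            return "handshake_failure"
        return f"error: {exc}"
    except OSError as exc:
        return f"error: {exc}"


# Constructed sample of what a DNS export might look like: (name, proxied)
SAMPLE_RECORDS = [
    ("example.com", True),
    ("www.example.com", True),
    ("api.staging.example.com", True),    # two levels deep: not covered
    ("grafana.ops.example.com", True),    # two levels deep: not covered
    ("db.internal.example.com", False),   # DNS-only: no Cloudflare TLS termination
]

if __name__ == "__main__":
    for name, suggestion in audit_records(SAMPLE_RECORDS, "example.com"):
        print(f"{name}: not covered by Universal SSL -> rename to {suggestion}")
```

Run it against your own record list before flipping hosts to Proxied; anything it reports will fail the handshake at the edge regardless of how the origin is configured. `probe_tls("api.staging.example.com")` against a real proxied zone is the same test `openssl s_client -servername <host>` performs by hand.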
Background
Client -> Cloudflare -> GCP LB -> Backend
While setting up this flow for traffic proxying and security, I ran into an unexpected issue.
Symptoms
After switching the DNS records in Cloudflare to Proxied, visiting the site instead failed with ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Root Cause: Cloudflare Universal SSL and Multi-Level Subdomains
In the end I found that the core of the problem is Cloudflare's Universal SSL certificate. Universal SSL supports only single-level subdomains (e.g. *.example.com) and does not support multi-level subdomains (such as *.subdomain.example.com or sub.subdomain.example.com).
This means that even though the connection between the load balancer and Cloudflare is encrypted, Cloudflare still cannot serve a valid TLS connection when I access a multi-level subdomain, and the handshake fails.
Solution
In my case, I went through the whole DNS record list and converted the multi-level subdomains:
- Convert multi-level subdomains to single-level subdomains
With single-level subdomains, Cloudflare's Universal SSL certificate works correctly.
References: